I was wondering how you could encrypt/decrypt your querystring in a simple asp.net page? some values need to be passed between different pages but the querystring cannot be changed or read.
Some say httphandles could be the solution for this.
Any thoughts?
MORE BACKGROUND INFO:
hi thx for all the comments. this is the problem, sometimes the sessions disappear without any reason (well there must be one but I don't know it yet). I've looked into the possible reasons but nothing that could cause it is happening. Therefore I cannot rely on it anymore. The cookie solution is a possibility but it will be more work to implement than simply using the querystring. The url can be copied at any time just not changed!
Cheers, M.
-
2This is a Really Bad Idea. If you need to pass values to different pages, why not use a Postback, or a value in the database. Encrypting the query string results in ugly URLs and isn't foolproof.George Stocker– George Stocker2010年06月07日 13:14:10 +00:00Commented Jun 7, 2010 at 13:14
-
1This does smell all over of "bad plan". I really think you may have the wrong architecture. Can you keep this information server-side? You really shouldn't be transferring sensitive information in this way, encrypted or not. Perhaps you can expand on how you think "sessions are unreliable". Maybe you could tell us a use case that you feel this construct provides a solution to.Cheekysoft– Cheekysoft2010年06月07日 13:38:08 +00:00Commented Jun 7, 2010 at 13:38
-
1++ to using a cookie. avoids the session timeout problem you seem to be concerned about below. The only thing you get with what you're trying to do above is your URLs will be copy/paste-able, which you may/may not want. Cookies are tied to a particular machine. Do you want the URL to be sendable via email/IM/etc? The querystring would be your only option if that were the case.Tim Coker– Tim Coker2010年06月07日 13:39:17 +00:00Commented Jun 7, 2010 at 13:39
4 Answers 4
You'll have to encrypt it manually using one of the .Net encryptions. Really this isn't what the query string is for. If you don't want the users to be able to access it, you should find a different way of passing it between pages.
Here is a project that will show you how to do symmetric encryption. http://www.codeproject.com/KB/security/SimpleEncryption.aspx
Dare I mention this, because it will create significant overhead, but you can post your information in the view state and use cross page posts to pass the information around:
2 Comments
I needed to do this and just for reference this was my chosen solution.
Use a HTTPModule to encrypt and decrypt. Then just put the module in the web.config.
Found it here: https://madskristensen.net/blog/httpmodule-for-query-string-encryption/
From the article:
What we need is an HttpModule that can turn the encrypted query string into a normal readable one, so that we can still use our old logic like Request.QueryString["user"]. In other words, we want the user to see this
?enc=VXzal017xHwKKPolDWQJoLACDqQ0fE//wGkgvRTdG/GgXIBDd1
while your code sees this
?user=123&account=456.
Sample code in the article has the module you would add.
Comments
How about adding the value you need to the Viewstate? Viewstate can encrypted and validated for you.
ViewState["myKey"] = "myValue";
and then later
string myValue = ViewState["myKey"]
To enable encryption:
<%@Page ViewStateEncryptionMode="Always" %>
or
<configuration>
<system.web>
<pages ViewStateEncryptionMode="Always" />
</system.web>
</configuration>
Comments
Here is a project that will show you how to do symmetric encryption. http://www.codeproject.com/KB/security/SimpleEncryption.aspx
Dare I mention this, because it will create significant overhead, but you can post your information in the view state and use cross page posts to pass the information around:
Comments
Explore related questions
See similar questions with these tags.